Digital Security: An Upwork.com Scam on LinkedIn?

The Nigerian prince scam is a thing of the past. Here's a story you might, under the right circumstances, actually want to believe. Still--everything about this reeks of scam!

Social networking isn't really my thing, but I keep a profile on LinkedIn. I never put a lot of energy into it, but I check in every now and then and I try to review my profile once a year--just to make sure things are still up to date. It pretty clearly says on my profile that I'm a freelancer, and I leave myself open to work even though I'm really not; I don't mind seeing what's out there, you know.

It seems like over the last few months (since Corona started) things have been getting a bit more active on LinkedIn. The demand for remote IT is definitely on the rise. So I wasn't particularly surprised when this guy, Mr. Hiroki Ishida, contacted me in an invitation to connect with what he suggested was an opportunity to make some moolah:

[Image: a message inviting me to partake in opportunity]
No personalization?--really? I have a name dude; you can see it on my profile. Copy/paste much!?

There were really only two words in this that stuck out when I first read it: "collaborate" and "passive income".

  • pa$$ive income = pipe dream
  • collaborate = investment of personal time--which I don't usually give to strangers

I replied with the canned response I often give people trying to offer me work on LinkedIn: "my hands are tied with an ongoing client, but thanks for the interest!" This isn't a lie; I'm lucky to have a great long-term client and I usually don't have the bandwidth for projects outside my work with them. If I ever take on extra work beyond that, it certainly won't be for building pipe dreams with people I don't know. Mr. Ishida, here, is well outside my social network, and his LinkedIn profile indicates he lives somewhere in Japan. He can likely see I have work experience in Japan, as well as Japanese language ability (I lived in Tokyo for 9 years), and that honestly makes me want to trust him to a certain extent. Still, I don't have time for this kind of stuff.

Normally, when I give this response, people thank me for my time and move on. Mr. Ishida, on the other hand, followed up with an explanation of his plan--apparently I was misunderstanding him:

[Image: a clever ploy]
"I've got a cunning plan!"

Honestly, the language here more or less checks out. His profile says he's in Japan, and the English is full of mistakes typical of speakers of Japanese: misuse of singular/plural nouns (e.g., "get a new job" vs "get new jobs"), missing or unnatural determiners (e.g., "most of clients" vs "most of the clients"), etc. He could very well be who he says he is, and the sob story about receiving less work and less pay despite more talent makes you wanna say: "awwwwww shucks!... somebody needs to give this guy a chance."

Except...

... I think he's got it backwards. The general trend, if I'm not mistaken, is for companies in the US to outsource their development/IT needs to countries outside the US (I'm looking at you, India). There's a reason why so much of American manufacturing is done outside of America; American companies know it's cheaper to get it done abroad. This is true for IT as well. In my mind, Ishida's story just doesn't add up. Having lived in Japan for 9 years, I can also pretty confidently surmise that Japanese developers are making just as much, if not more, money than their US counterparts. I know nothing about Upwork.com, but if it's "world-wide", as he says, why isn't he getting work locally in Japan?

I did a quick search at Upwork.com for Mr. Ishida to see if he has a profile there. Nothing. For someone who's been on the site for 8 years, I'd expect something...

The Actual Scam?

I don't really know how it works; I'd rather not find out. But I can see that the scam is real. Any freelancing site like Upwork.com is going to work like an agency: they'll act as a middle man for managing contracts and payments. That means that at some point you'll be handing them your bank information. You may also need to hand them a fee to utilize their service, which could also mean that they'll have your credit card information on file. Double jeopardy!!!

The suggestion that I set up an account and then give a complete stranger access to it is sheer lunacy! The reasons should be outwardly obvious.

This scam may be old news to people in the know. It was news to me, and I gotta confess: there was a small part of me that wanted to believe this guy. It's interesting that the scam in my case and that of that link above come from people who are, or claim to be, Japanese. Having lived in Japan for so long (my kids were born there), I have a strong affinity for Japanese people. Not strong enough for me to let down my guard, but I can't help but feel that this scam leverages a stereotype that we Americans commonly hold: that Japanese people are quiet, subservient and hard working--not the kind of people to lie, let alone scam you. If you've ever been to Japan you quickly learn that it's like any other country: there are people there of all walks. And yes, there are even people willing to defraud you. Still, whether intentional or not, the scam capitalizes on inherent trust. You see this kind of manipulation at hand in bank and IRS scams as well (Why would your bank or the IRS lie to you?).

The promise of passive or easy money is supposed to close the deal alongside this trust. If I were in a similar situation to Mr. Ishida's character (i.e., I wasn't getting my fair share of work and pay), I might actually be tempted by such an idea. This might make me even more inclined to identify with him. LinkedIn seems, then, like the perfect platform for people to be running this scam on: generally speaking, people who are actively looking to grow their business networks and find new opportunities are looking to improve their work situation. Not everyone on LinkedIn will fall for this, but some just might. Mr. Ishida's profile had some 500+ connections. I would hate to think those are all people he suckered.

The amount of thought and craft that goes into a scam like this is actually quite impressive. The story needs a little work, and honestly if you're going to claim to have been on Upwork.com for 8 years, you should have a profile there. Still, it serves as a reminder that modern attack vectors don't always rely on hardcore hacking: sometimes the vectors are much more personal--like inherent trust and despair.

By sheer chance, this message came to me after a long day of reading through security documents. By the time this hit my browser, risk management was already fresh in my mind. I've reported this profile to LinkedIn. I wish the reporting system was a little more robust, but it's better than nothing.

Update (03/22/21)

The scam continues. In fact, it looks like the copy hasn't changed at all. I got this in my inbox this morning--it's a verbatim copy of the message I received from the Ishida account:

[Image: another upwork scam found on linkedin]
The internet is a dangerous place.